[Pkg-clamav-commits] [SCM] packaging for clamav-unoffical-sigs branch, master, updated. debian/3.3-2-9-g703c0b0

Paul Wise pabs at debian.org
Sun Jul 5 06:26:16 UTC 2009 

The following commit has been merged in the master branch:
commit 703c0b05ffb019800b19c920e973dce0b19e3bd4
Author: Paul Wise <pabs at debian.org>
Date:   Sun Jul 5 14:22:43 2009 +0800

    Run the script as the clamav user by default and ensure correct ownership of all the files when the sysadmin accepts the cron.d configuration change.

diff --git a/debian/NEWS b/debian/NEWS
index 1fa55aa..5591500 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -4,4 +4,9 @@ clamav-unofficial-sigs (3.5.4-1) unstable; urgency=low
   the default configuration, if you would like to keep using them
   then please edit your configuration file as directed in it.
 
+  This version switches to running the script as the clamav user
+  instead of root to enhance security. If you wish to further
+  increase security, please see README.Debian for a technique
+  for running the script as a user separate to clamav.
+
  -- Paul Wise <pabs at debian.org>  Fri, 19 Jun 2009 15:20:24 +0800
diff --git a/debian/README.Debian b/debian/README.Debian
index b0cd018..baefd33 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -4,3 +4,58 @@
 Some of the default settings have been altered, see here for more info:
 
 /usr/share/clamav-unofficial-sigs/conf.d/01-debian.conf
+
+/----------------------------------------------------------------------------
+| Enhanced security
+
+You might like to run the clamav-unofficial-sigs script as a non-root,
+non-clamav user for extra security. To get this working, please follow
+the following steps.
+
+First create a new system user and group 'clamav-unofficial-sigs' and
+add the new user to the ClamAV group.
+
+# adduser --system --no-create-home --disabled-password --disabled-login \
+          --shell /bin/false --group --home /nonexistent clamav-unofficial-sigs
+# adduser clamav-unofficial-sigs clamav
+
+Change the owner/group on the log files and data files to this user.
+
+# chown -R clamav-unofficial-sigs /var/lib/clamav-unofficial-sigs
+# chown -R clamav-unofficial-sigs /var/cache/clamav-unofficial-sigs
+# chown -R clamav-unofficial-sigs /var/log/clamav-unofficial-sigs.log*
+
+Change the owner (but not the group) of the custom data files in the clamav
+database directory to this user.
+
+# chown clamav-unofficial-sigs /var/lib/clamav/*.hdb* /var/lib/clamav/*.ndb*
+
+Change the permissions on the clamav database directory to set the
+sticky bit and group write permission bit. If you installed clamav with
+your package manager you may need to use a command other than chmod to
+make this more permanent. On Debian, please use dpkg-statoverride.
+
+# dpkg-statoverride clamav clamav 1775 /var/lib/clamav
+
+Edit the cron file and logrotate configuration to use this user.
+
+# sed -ire 's/root|clamav/clamav-unofficial-sigs/g' \
+      /etc/cron.d/clamav-unofficial-sigs /etc/logrotate.d/clamav-unofficial-sigs
+
+This setup prevents the script from running inappropriate commands as
+root and also prevents the script from modifying the official ClamAV
+signature databases.
+
+The package is not setup like this by default because packages should not
+modify the permissions of other packages files and directories.
+
+/----------------------------------------------------------------------------
+| Running as root
+
+If for some reason you want to run the clamav-unofficial-sigs script as root,
+you will need to tell the script to chown the database files like this:
+
+# echo \# Running the script as root >> /etc/clamav-unofficial-sigs.conf
+# echo clam_user=clamav >> /etc/clamav-unofficial-sigs.conf
+# echo clam_group=clamav >> /etc/clamav-unofficial-sigs.conf
+# sed -i -e '/^[^#]/s/clamav/root/g' /etc/cron.d/clamav-unofficial-sigs
diff --git a/debian/changelog b/debian/changelog
index 1c87f6f..884753f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ clamav-unofficial-sigs (3.5.4-1) UNRELEASED; urgency=low
   * New upstream release
   * Document removal of mediam and high risk databases
   * Document that some of the default settings are altered
+  * Run the script as the clamav user by default and
+    ensure correct ownership of all the files when the
+    sysadmin accepts the cron.d configuration change.
 
  -- Paul Wise <pabs at debian.org>  Sun, 05 Jul 2009 14:12:31 +0800
 
diff --git a/debian/debian.conf b/debian/debian.conf
index cf9452b..eacc0d4 100644
--- a/debian/debian.conf
+++ b/debian/debian.conf
@@ -39,3 +39,8 @@ pkg_rm="apt-get --purge remove clamav-unofficial-sigs"
 
 # Needed before the script will operate
 user_configuration_complete="yes"
+
+# We run the script as the clamav user by default
+# so turn off the chown calls, which will fail
+unset clamav_user
+unset clamav_group
diff --git a/debian/postinst b/debian/postinst
index 15f8cea..a4d3779 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -11,6 +11,35 @@ if [ "$1" = configure ] ; then
 	if [ ! -s "$gpg_dir/publickey.gpg" ] ; then
 		cp /usr/share/clamav-unofficial-sigs/publickey.gpg "$gpg_dir/publickey.gpg"
 	fi
+
+	# Detect which user the script will run from
+	# Will be 'clamav' unless the user customised the cron script
+	user="$(grep '^[^#]\+$' /etc/cron.d/clamav-unofficial-sigs | cut -d ' '  -f 6)"
+	group="$(id -ng "$user")"
+
+	if [ "x$user" != xroot ] ; then
+
+		# Ensure the directories are all writable for the cron user
+		for dir in "$gpg_dir" "$config_dir" "$ss_dir" "$msrbl_dir" "$si_dir" "$mbl_dir" "$add_dir"; do
+			if ! dpkg-statoverride --list "$dir" > /dev/null 2>&1 ; then
+				dpkg-statoverride --update --add "$user" "$group" 0755 "$dir"
+				chown -f "$user:$group" "$dir/*"
+			fi
+		done
+
+		# Create the log file and make it writable for the cron user
+		if [ ! -e "$log_file_path/$log_file_name" ] ; then
+			touch "$log_file_path/$log_file_name"
+			chown "$user:$group" "$log_file_path/$log_file_name"
+		fi
+
+		# Make all the files written by the script writable for the cron user on upgrade
+		if [ "x$2" != x ] && dpkg --compare-versions "$2" lt 3.5.4 ; then
+			for file in `cat "$config_dir/purge.txt" 2>/dev/null` ; do
+				chown -f "$user:$group" "$file"
+			done
+		fi
+	fi
 fi
 
 #DEBHELPER#
diff --git a/debian/prerm b/debian/prerm
index b30937d..35e3a8a 100644
--- a/debian/prerm
+++ b/debian/prerm
@@ -14,9 +14,12 @@ if [ "$1" = remove ] ; then
 	libdir=/var/lib/clamav-unofficial-sigs
 	if [ "x$config_dir" = x ] ; then config_dir=$libdir/configs ; fi
 	if [ "x$gpg_dir" = x ] ; then gpg_dir=$libdir/gpg-key ; fi
+	if [ "x$log_file_path" = x ] ; then log_file_path=/var/log ; fi
+	if [ "x$log_file_name" = x ] ; then log_file_name=clamav-unofficial-sigs.log ; fi
 
 	echo $purge > $purge
 	echo "$gpg_dir/publickey.gpg" >> $purge
+	echo "$log_file_path/$log_file_name"* >> $purge
 	if [ -s "$config_dir/purge.txt" ] ; then 
 		cat "$config_dir/purge.txt" >> $purge
 	fi
diff --git a/debian/rules b/debian/rules
index 4672ed9..eda17ff 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,10 +5,12 @@
 build: build-stamp
 build-stamp:
 	dh_testdir
-	cp clamav-unofficial-sigs-logrotate debian/logrotate
+	sed -e 's_root_clamav_g' \
+	    < clamav-unofficial-sigs-logrotate > debian/logrotate
 	sed -e 's/bin/sbin/;s/\.sh//;s/ *-c *[^ ]*//' \
 	    -e 's_^\([^/#]*\)\(/[^ ]*\)_\1[ -x \2 ] \&\& \2_' \
 	    -e 's_/local__g' \
+	    -e 's_root_clamav_g' \
 	    < clamav-unofficial-sigs-cron > debian/cron.d
 	touch $@
 

-- 
packaging for clamav-unoffical-sigs

More information about the Pkg-clamav-commits mailing list